Environment

Situation

Access Manager Identity Server (IDP) set up as a SAML 2 Identity Provider. A
trust relationship needs to be set up with a third-party SAML 2 Service
Provider (SP). The third-party SAML 2 SP's metadata was imported into the Admin
Console successfully and the changes were applied. After users successfully
authenticated to the IDP server and tried to access the SP, an error about an "invalid trusted provider" was displayed:

Error:The request to provide authentication to a service provider has failed. (300101050-039ADD61106FBB8A)

Resolution

Add the signing certificate used by the OCSP server to the NIDP-OCSP trust
store. Alternatively, use the following configuration change on the IDP server
to work around the problem by disabling OCSP/CRL checking.

On Linux 3.1 IDP:

Modify the /var/opt/novell/tomcat5/conf/tomcat5.conf file and add the following line:

JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"

Restart Tomcat

On Linux 3.2 IDP:

Modify the /opt/novell/nam/idp/conf/tomcat7.conf file and add the following line:

JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"

Restart Tomcat

On Windows:

Run C:\Program Files (x86)\Novell\Tomcat\bin\tomcat5w.exe

Add -Dcom.novell.nidp.serverOCSPCRL=false under the Java options on the
Java tab.

Apply and restart Tomcat

Additional Information

When importing SAML metadata, references to signing and/or encryption
certificates exist. These certificates need to be validated before the trusted
provider is loaded successfully. Part of this validation process may involve
checking whether the server certificate has been revoked, via either OCSP or
CRL checks. If the OCSP/CRL server cannot be contacted by the IDP server, the
validation process will fail and the following errors may be displayed in
catalina.out (Linux) or stdout.log (Windows). Note that the IDP Application and
SAML2 component log levels must be set to DEBUG to troubleshoot SAML2 issues like
this:

We can see that the request was sent to the OCSP server but the response
returned could not be validated. Only when the OCSP server signing certificate
is imported into the NIDP-OCSP truststore will the IDP be capable of validating
the signed response.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.